Are Strong Passwords All That Strong?
pondering-on-passwords asks: "I work at a company that is planning to implement strong passwords to increase network security. Personally, I think that this may be counterproductive since the passwords will tend to be more cryptic than most people are used to and I believe that they will write them down and leave them very close to their computers. I think this will be a greater risk for our traveling people using laptops. A strict security policy that is enforced may help some, but I still believe that people will end up making their passwords more accessible in the end. I am trying to find some information for or against implementing strong passwords, statistics on security breaches, etc. to back up my beliefs. Of particular interest would be material specifically on strong passwords, types of security breaches (i.e. social engineering, exploiting system vulnerabilities, password cracking, password theft, etc.), and possible alternative security methods (i.e. hardware tokens)."
The problem with this is that any common song, or poem, or story, etc, will also be known to any determined attacker. [who can use a computer to generate all possible first letter (last letter, second letter, etc) combinations]
An improvement is to MAKE UP the phrase that you are using for your password, and do so using "funny" notions. "The Red car flies over the clocktower at 9:15" = TRcfotc915
(I suggest you don't use exactly that particular one ;> )
What I would prefer is a hardware token, like those gadgets that the gasoline companies are advertising for instant service at their pumps. The token could store a large number of random bits, and a processor that could use those bits to encrypt a response to a challenge from the computer.
The reason you have a password change policy is not to limit the amount of time an intruder can use an account (that is, as you pointed out, stupid).
The real reason is to set a time limit on theoretical brute force attacks against your passwd file. It's still an open question if this is needed. Obviously you should have some variant of cracklib in your passwd program to thwart dictionary attacks.
Here's a very nice hardware token implementation.
Should be easier to sell to corporate as a combined physical security and network security solution. (Replacing keycards and network passwords.)
[-- Trust the Monkey --]
I think you probably mean John the Ripper
"The invisible and the non-existent look very much alike." -- Delos B. McKown
> I only need to view the paper for a second to break the security, while I'd have to remove your key, go get it copied, and return it.
A friend of mine is a prison officer. He told me he has inmates who can view a door key for a few seconds and then make a working copy from memory.
If you can get your hands on a key for a few seconds you can make a wax impression (assuming you planned in advance).
--
rant
Yeah, but cracking a 5-word DiceWare passphrase on any UNIX system is no more difficult than cracking an 8-character password on UNIX - crypt() uses 8 characters at most. That's it. The following 'passwords' are equivalent.
- "Where there's smoke there's fire"
- "Where the hell is the phone?"
- "Where thee going sire"
- "Where th"
Strong passwords by themselves are useless, as someone pointed out, against anything but a dictionary attack. Which is nearly impossible to run without getting access to the system in some other way to get something to crack against - the
This space for rent. Call 1-800-STEAK4U
And if the only UNIX flavor you run at your company is Linux, then you will be fine. However, crypt() is still the default method on most other unixes out there.
This space for rent. Call 1-800-STEAK4U
Using SSH|SSH2 with RSA|DSA authentication eliminates having to type passwords and is *much* harder to beat than guessing passwords.
Ta da! I'm in.
grub
Trolling is a art,
I worked at Microsoft. They require strong passwords and they require that you change your password every 60 days (I think, it could be 90). You also aren't allowed to repeat your last 3 passwords. I only had trouble remembering my password when I would come back from vacation. Creating a password that I would remember was a bit more problematic. I would usually take an event, the book I was currently reading or a game, abbreviate that and add numbers and punctuation to it.
Do not taunt Happy Fun Ball
If the company you work for wants to exceed the above requirements they should consider biometrics, smart cards, or any number of physical security methods. Not longer passwords.
On most *nix systems, yes. However, the MD5 algorithm (I believe it was first used for passwords in FreeBSD) allows for unlimited password lengths, and has been the default for most Linux distributions for quite awhile now.
Maybe you just skipped it, but it sounds like the policy is missing an important issue.
What is the exposure to risk?
System-level root passwords need to be *hard*, if you use them at all. I generally create them with a recursive MD5 hash (with random salt mixed in) until I have a password with two uppercase, two lowercase, 2 punctuation, one digit, and one wildcard character. NOBODY will remember it, but nobody has to - these passwords are written onto a 3x5 card, sealed in an envelope, and locked up in a desk against truly dire circumstances.
Anyone with root access via sudo should be able to choose their own password intelligently. If their password is compromised, it's a mandatory written reprimand. This tends to make them careful about ensuring that they NEVER use unencrypted channels - no telnet, no ftp. This might seem harsh, but if a sysadmin is sloppy about choosing their password or tools then they're probably sloppy elsewhere, and repeated violations are grounds for serious concern.
As for everyone else - if an attacker can do much damage with these accounts then the finger still points at the sysadmins. The problem, in this case, isn't the bad password, it's the bad file permissions, unapplied security patches, etc.
For other reasons these users should still have reasonable passwords, but until you have shut off every single service that uses unencrypted or trivially encrypted traffic (telnet, ftp, pop3/imap, etc.) then you're just pissing in the wind if you're counting on them to protect your system. Check the password against cracklib to get users in the habit of choosing good passwords (e.g., no "bob2" passwords), but otherwise put your attention someplace where it will do some good.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
People don't carry around their passwords, they leave them at work -- unless it's an ATM PIN number. Those they carry around.
These programs tend to make worthless passwords for people with weak vocabulary skills and as a result get written down.
Most computer break-ins are inside jobs so the people you are protecting against do have access to such things as the post-it note on the monitor.
If you require a complex password, you must give people time to think about it and let them know the rules or else they will pick a bad password every time. Nothing will get a password written down faster than a computer insisting on a complex password. The ones that won't tell you why a password is bad are even worse since people will give up and end up with "asdf" (which is in most crack dictionaries) and will be written down.
A written down password is a waste of time and effort -- you might as well just say the terminal is ok for that user and skip the user authentication step.
From time to time I have run experiments on getting users to generate their own good passwords. They tend to fail. In one US Gov department at least 25% of the people all picked (independently as far as I could tell) "eagle1" as their password when given the wording "a password must be at least 5 characters and must contain a digit or a symbol".
Some rules for "good passwords" are just stupid. For example the rule that you can't use the same letter twice. That is a good way to keep the shoulder surfers guessing.
If you start checking passwords against a dictionary, you end up getting most people that know a foreign language to use a non-English word that is very likely to be "password" translated.
A friend of mine used to "hack" systems when he was in high school. He had a list of 25 passwords that would get him in most places. He also is very good at social engineering and had no real problem playing with anything he wanted.
I guess when it comes to passwords, we all know you can lose but it looks like you can't win either.
I have to disagree. I only need to view the paper for a second to break the security, while I'd have to remove your key, go get it copied, and return it.
If you're consulting that paper every time you log in, shoulder surfing becomes a real possibility.
Tom Swiss | the infamous tms | http://www.infamous.net/
You cannot wash away blood with blood
Say a user writes their password down on a sticky note, and places it in the bottom of their desk drawer (not locked). For another person to get that password the person has to have physical access to the desk and general computer area. If one has that much access, then one can easily install a keyboard monitor (program or hardware) and get the password that way.
It is not a matter of whether the user is going to write the password down or not. It is a matter of physical security.
-Adam
This sig 80% recycled bits, 20% post user.
I saw a new idea on passwording the other day, called passface. Realuser.com gives you a passface (five random pictures of UK college students) and you log in by choosing your passfaces in order out of a new 3x3 matrix of faces for each face.
sometimes we change our job, our friends, and our spouses, but we never change ourselves...
As a side note, if you want to see for yourself just how bad seemingly good passwords are, go download one of the many password cracking/checking programs out there and run the passwords you use through it. See just how fast it can be done. When we did our "break-in" lab for my Information Warfare class last semester, even most of the passwords that had been uncrackable in past semesters were broken. Gets that point across real fast. Basically, if your company is serious about increasing authentication security, they need to look at better ways than just requiring "strong" passwords.
---
"This message is composed of 100% recycled electrons."
As it turns out, his strategy was useless, because he *did* get cracked, but the attacker got in through a service vulnerability (the portmap bug in Red Hat Linux a few months ago).
So always remember that a security strategy is only as strong as its weakest part; and if you're going to use strong passwords (strong enough that even you have problems remembering them), you also have to make sure the rest of your security is as strong as that. Otherwise, just don't bother; use your own name as your password. :)
My obvious password detector from 1984 was one of the first attempts to deal with this problem. This tiny piece of code enforces a rule that passwords must have some 3-character sequences that don't occur in English words. With a small bitmapped table, this code knocks out every word in the UNIX dictionary, but only about 10% of randomly chosen strings. This is very old code, but it still works. Enjoy.
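A sketch of the rule described in the comment above, as an added example (this is not the poster's 1984 code). The tiny word list is a constructed stand-in for the UNIX dictionary, and the threshold of two unusual three-character sequences is an assumption.

```python
import string

# Constructed stand-in for the UNIX dictionary; a real check would load
# the system word list instead of this handful of words.
WORDS = """password secret dragon monkey letmein welcome shadow master
computer network system login eagle summer winter spring autumn
security private account manager service""".split()

ALPHA = string.ascii_lowercase
BITS = 26 ** 3  # one bit per possible three-letter sequence


def trigram_index(tri):
    """Map a three-letter lowercase string to its bit position."""
    a, b, c = (ALPHA.index(ch) for ch in tri)
    return (a * 26 + b) * 26 + c


def build_table(words):
    """Return a bitmap with a bit set for every trigram seen in words."""
    table = bytearray((BITS + 7) // 8)
    for word in words:
        letters = "".join(ch for ch in word.lower() if ch in ALPHA)
        for i in range(len(letters) - 2):
            idx = trigram_index(letters[i:i + 3])
            table[idx >> 3] |= 1 << (idx & 7)
    return table


def unusual_trigrams(candidate, table):
    """Count 3-character windows that are not trigrams from the word list.

    A window containing a digit or symbol always counts as unusual.
    """
    s = candidate.lower()
    count = 0
    for i in range(len(s) - 2):
        tri = s[i:i + 3]
        if any(ch not in ALPHA for ch in tri):
            count += 1
        else:
            idx = trigram_index(tri)
            if not table[idx >> 3] & (1 << (idx & 7)):
                count += 1
    return count


def is_obvious(candidate, table, required=2):
    """Reject candidates with fewer than `required` unusual windows (assumed threshold)."""
    return unusual_trigrams(candidate, table) < required


TABLE = build_table(WORDS)

if __name__ == "__main__":
    for pw in ["password", "eagle1", "xq7vkz"]:  # constructed test inputs
        print(pw, "rejected" if is_obvious(pw, TABLE) else "accepted")
```

With this threshold a dictionary word plus one trailing digit, such as the "eagle1" mentioned elsewhere in the thread, is still rejected because only its last window is unusual.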
Users need not remember 12-character long strings of random digits and characters. They just need a training course on how to pick a good password.
Pass phrases are probably the easiest remedy.
Just have your users pick a phrase from a current song that they like, and use the first letter from each word as a character in the password. Substitute numbers for certain characters, capitalize proper nouns etc. (e.g., She was a Sour Girl the day that she left me == SwaSGtdts1m)
Very easy to remember, but still pretty darn hard to crack. This way, they'll also be more forgiving about changing their password every few months. Leave Jack the Ripper running on a spare machine to audit weak passwords.
signature smigmature
- James
How about just memorizing a series of key strokes rather than using a familiar string as the password? You could remember starting with "a" then move 5 keys over which gives you an "h" and move on from there. The end result will be a string that has no meaning whatsoever, but is still easily remembered. Mind you if you aren't using a QWERTY keyboard it might throw things off.
It's also a good idea to include different cases, numbers and quotations in the password. Of course if you use the method above remembering the right combo will be no problem.
__
I have to object to the usual assumption that users should never write down their passwords. Yes, it's a bad idea to leave it on a PostIt affixed to your monitor. But a slip of paper isn't that hard to secure -- no harder than, say, your front door key. So the question of making the password memorizable is really moot.
__
Add as many layers as you can think of to your security. For instance, I've set up /etc/profile so that it runs lastb|grep `id -un` for the user at login time. This lets the user see all failed logins and what time the attempt was made. When /var/run/btmp gets big enough, logrotate moves it and invokes a script to mail me the old one. A common variation on this is to print out a message, "There have been 35 failed attempts since your last successful login."
I think beyond a certain point, password strength is a joke. If passwd(1) is set up to disallow the usual variations on a username and dictionary attacks, the attacker will have to either get lucky and find a user with a relatively weak password, or get ahold of /etc/shadow (in which case you'd have more serious problems to worry about...)
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
I always thought that the password nazis rarely, if ever, accomplish anything.
At my shop, we require 8 digit passwords with at least 1 number and a punctuation symbol for most workers, which seems to be accurate enough.
I interviewed at one place where employees were issued a random sequence of characters that was changed every month. That is a complete waste of everybody's time and accomplishes nothing.
In my view, it makes more sense to increase security by moving to client-server apps and web-enabled applications versus granting shell access to as few as possible (in a Unix env).
In a windows environment, strict domain permissions and security policy are the only way to secure workstations.
Conformity is the jailer of freedom and enemy of growth. -JFK
One problem with many out-of-the-box password schemes is that they have too few characters. We are starting to see a trend to reasonable-length passwords (usually incorporating the use of a hash algorithm like MD5 to reduce the password to 64 bits) so that people can use a system of strong but easy-to-use passwords.
One scheme that seemed to work quite well was the system that Compuserve first started using, back when they were H&R Block: the password generator would select two words (each four to six characters long) and a punctuation mark, and combine them into a string. For example:
This scheme took advantage of the fact that the PDP-10 operating system H&R Block was using allowed for 12 characters in a password.
The key was that there were never two nouns, or two verbs, or two adjectives, or two pronouns. Sometimes the generated password would look like something from the original Adventure game, but it was still very hard to guess, and the dictionary attack required the attacker to try pairs of words coupled with selections from the punctuation mark string ".,/?+=*&$@!" and you have a fairly large universe of passwords to try -- around 640 million if you assume a total of 8000 words in the dictionaries. (Much of this is from memory; excuse me if I'm getting some of the details wrong.)
I never heard of a Compuserve password that was cracked in a pristine way. Every single crack I was aware of involved either social engineering or monitoring the user. Oh, I suppose that someone may have been able to do the job, but I never heard about it.
Now, if you have only eight characters to work with, you are out of luck. Sorry.
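The two-words-plus-punctuation scheme described in the comment above, as an added example (not CompuServe's code): a generator and a count of the space an attacker would have to search. The word lists are constructed, and placing the punctuation mark between the words and dropping combinations longer than 12 characters are assumptions.

```python
import math
import secrets
from collections import Counter
from itertools import permutations

PUNCT = ".,/?+=*&$@!"  # punctuation set quoted in the comment above
MAX_LEN = 12           # password length limit mentioned in the comment

# Constructed word lists (4 to 6 letters each), keyed by part of speech.
WORDS = {
    "noun": ["anchor", "button", "cactus", "door", "falcon", "river"],
    "verb": ["borrow", "climb", "gather", "jump", "paint", "wander"],
    "adjective": ["amber", "brisk", "gentle", "hollow", "quiet", "salty"],
}


def search_space(words=WORDS, punct=PUNCT, max_len=MAX_LEN):
    """Count distinct passwords: ordered word pairs from two different
    parts of speech that fit in max_len, times the punctuation marks."""
    lengths = {pos: Counter(len(w) for w in ws) for pos, ws in words.items()}
    pairs = 0
    for pos_a, pos_b in permutations(lengths, 2):
        for len_a, n_a in lengths[pos_a].items():
            for len_b, n_b in lengths[pos_b].items():
                if len_a + 1 + len_b <= max_len:
                    pairs += n_a * n_b
    return pairs * len(punct)


def entropy_bits(words=WORDS, punct=PUNCT, max_len=MAX_LEN):
    """Bits of entropy when every valid password is equally likely."""
    return math.log2(search_space(words, punct, max_len))


def generate(words=WORDS, punct=PUNCT, max_len=MAX_LEN):
    """Draw uniformly from the valid passwords by rejection sampling."""
    pool = [(pos, w) for pos, ws in words.items() for w in ws]
    while True:
        (pos_a, a), (pos_b, b) = secrets.choice(pool), secrets.choice(pool)
        # Never two words of the same part of speech, never over the limit.
        if pos_a != pos_b and len(a) + 1 + len(b) <= max_len:
            return a + secrets.choice(punct) + b


if __name__ == "__main__":
    print(generate(), search_space(), round(entropy_bits(), 1))
```

Counting by word length keeps `search_space` fast for dictionaries of thousands of words, where listing every pair would not be.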
      possible keys in various key spaces
Letter type             4-byte    6-byte   8-byte
Lowercase letters        460,000   3.1E8    2.1E11
Lowercase letters/digits 1.7E6     2.2E9    2.8E12
Alphanumeric Characters  1.5E7     5.7E10   2.2E14
Printable Characters     8.1E7     7.4E11   6.6E15
ASCII characters         2.7E8     4.4E12   7.2E16
8bit ASCII Chars         4.3E9     2.8E14   1.8E19
You can figure out what kind of passwords that you wish to implement from this table. Remember that one order of magnitude is a huge difference, thus 8 length ASCII characters are *far* more secure than anything else.
offtopic rant... Rob, making tables on slashdot sux. You have to make it easier to do tables.
Keeping
The main caution is, don't write your passphrase down and leave it near your computer. Carry it with you.
Here's a Javascript page that I wrote to generate secure random passphrases, by the way.
There are some programs in the Debian distribution that aid with password generation - and some even make easier-to-remember passwords (although they invariably give up *some* security)
- gpw "generates pronounceable passwords. It uses the statistics of three-letter combinations (trigraphs) taken from whatever dictionaries you feed it."
- makepasswd "generates true random passwords by using the /dev/random feature of Linux, with the emphasis on security over pronounceability. It can also encrypt plaintext passwords given on the command line."
- pwgen "generates random, meaningless but pronounceable passwords. Depending on how the program was installed, these words contain either only lowercase letters, or upper and lower case mixed, or digits thrown in. Uppercase letters and digits are placed in a way that eases remembering their position when memorizing only the word."
I've been using Diceware as a way to generate easy to use, and yet fairly secure passphrases and passwords. There are some interesting statistics in the Diceware FAQ, like cracking a 5 word Diceware passphrase is equivalent to cracking a 64.6 bit symmetric key using brute force. I doubt you could get a whole organization to use this method (you'd probably get busted for playing craps!), but it's still intriguing.
I agree with the above poster but I also believe that all passwords should be tested. What I mean by tested is to see how common that word or set of characters is and how easy it is to crack.
Run each password via a password cracker (there is an old but good one called crackerjack), and then run it via L0phtCrack ( www.atstake.com ). If they crack easy then try something harder.
ONEPOINT
if you see me, smile and say hello.
I had not considered that! That is insightful, good modding. But then why do we only have to change passwords every 90 days? (typical policy at most companies I know, some are 60). How long does a brute-force attack take?
And if an intruder has a copy of your passwd file, doesn't that mean they got in? Doesn't everyone use shadow passwords? Don't you need common sense to get a job in computing security?
If all this should have a reason, we would be the last to know.
The counter argument (which prevails at most companies) is that frequent password changes increase security. I've never seen any empirical data to support this claim. The logic is that if someone gains access via a stolen/guessed password, then forcing users to change passwords will close the intruder's door. Yeah, after 90 days! Meanwhile, they've had full access and could have created countless new accounts for themselves.
I've never seen a situation where this policy was coupled with required strong passwords, for the simple reason that (as you said) people who must frequently change strong passwords tend to forget them or, worse, write them down. That doesn't mean some places don't do this, just that I haven't seen it. I'd hate to work at a place like that.
Passwords alone are not enough. Sure, strong passwords are better than letting Bob's father pick "Bobby" or "R0b3r7" as a password, but how secure is a system where an intruder can roam undetected until their stolen password is changed? If you argue that frequent password changes are necessary, then you're admitting that you can't detect an intruder.
If you're paranoid about security and willing to consider other options, you should look into a physical system, such as the iButton. There are others, but this is a link I can quickly find :-)
If all this should have a reason, we would be the last to know.
*Buzz*! YOU are the weakest link! Goodbye!
Take a look at the Passphrase FAQ. Although it is meant for PGP it has some interesting information that is generally applicable to passwords, among others an estimation formula for the strength of different password types (section 4) and also an interesting scheme how to write down a password ("key splitting", section 6).
André Kostolany: 2+2 = 5 (minus 1) for t>>0
Bruce Schneier (I hate spelling his last name), author of the acclaimed Applied Cryptography, recently wrote Secrets and Lies. He basically reflects on Applied Cryptography and relates his real-world experience with cryptography. "Real-world" means 'social engineering, writing down passwords, etc' when said in context with Secrets and Lies. Of course he doesn't condone the abandonment of cryptography, but he points out some serious misgivings about our notions of security in terms of cryptographic systems.
...because there will always be naïve users on the network. The best you can hope for is educating all of your users and limiting where incoming phone calls can come from. As for e-mail social engineering, I really can't think of something that you could do about it, other than simple education.
"I don't know that atheists should be considered citizens, nor should they be considered patriots." - George Bush